From 9fe1f2e918d39031852805f1add23125c061d3c3 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Wed, 23 Oct 2019 10:00:23 +0200
Subject: Tiff: Include two upstream CVE fixes in bundled libtiff

For issues CVE-2019-17546 and CVE-2019-14973, the following commits were merged into the bundled libtiff:

4bb584a35f87af42d6cf09d15e9ce8909a839145 RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz

1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)

Fixes: QTBUG-79397
Change-Id: I29257e6dbfbd816224d3dbaefdbe8afecd25f288
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Volker Hilsheimer
---
 src/3rdparty/libtiff/libtiff/tif_luv.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'src/3rdparty/libtiff/libtiff/tif_luv.c')
diff --git a/src/3rdparty/libtiff/libtiff/tif_luv.c b/src/3rdparty/libtiff/libtiff/tif_luv.c
index aa35ea0..46d2dff 100644
--- a/src/3rdparty/libtiff/libtiff/tif_luv.c
+++ b/src/3rdparty/libtiff/libtiff/tif_luv.c
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
 	return (SGILOGDATAFMT_UNKNOWN);
 }
-
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-
 static tmsize_t
 multiply_ms(tmsize_t m1, tmsize_t m2)
 {
-	if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-		return 0;
-	return m1 * m2;
+	return _TIFFMultiplySSize(NULL, m1, m2, NULL);
 }
 
 static int
-- 
cgit v1.2.3
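Review bot: The new `multiply_ms` body passes NULL for both the `tif` and `where` arguments of `_TIFFMultiplySSize`, so an overflowing or non-positive product is reported only as a 0 return and never logged at this level; that is acceptable only because the callers in this file (outside the hunk) treat 0 as an allocation-size failure and raise their own TIFFErrorExt, which a short comment should record: `/* NULL tif/where: overflow is signalled by the 0 return; callers report the error. */`. Note also that the old guard let a negative operand through as a negative product, whereas the helper (as I understand the upstream version) returns 0 for any non-positive operand, so this is a behaviour change for malformed directory values rather than a pure refactor. The hunk removes the local TIFF_SIZE_T_MAX / TIFF_TMSIZE_T_MAX defines, so the file now depends on those macros and on the `_TIFFMultiplySSize` prototype coming from tiffiop.h and its definition from tif_aux.c; this page is limited to tif_luv.c, so it cannot be confirmed here that the bundled copy also received those parts of the upstream commit, and the build would fail to link without them. The enclosing function `LogL16GuessDataFmt` ends inside the hunk, but the `static int` function that follows starts outside it.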